Operations // Careers & People
5/27/2014
06:00 AM
Sara Peters
Commentary

Dark Reading Radio: The Real Reason Security Jobs Remain Vacant

Join us Wednesday, May 28, at 1:00 p.m. Eastern, to learn why good security staff really are not hard to find, if you know what to look for.

Woe is you. You're desperately looking for someone to fill that vacant security position -- to protect your company and to soothe the other hellishly overworked security staff -- but you cannot find anyone qualified for the position.

You may be feeling bad for yourself, but here's the thing: It's all your fault.

Want to know why it's your fault and how to fix it? Then join us tomorrow -- Wednesday, May 28 -- at 1:00 p.m. Eastern Time for the next episode of Dark Reading Radio: "The Real Reason You Can't Fill Vacant Security Jobs."

My guests will be Julie Peeler, head of the ISC(2) foundation, and Mark Aiello, president of Boston-based cyber security staffing firm Cyber360 Solutions. In this episode we will discuss some of the findings of the security section of the InformationWeek IT Salary Survey and explain what they mean to you. Such as:

Security professionals earn more than the average IT worker. The median base salary of IT staff overall is $88,000 annually, compared with $98,000 for security staff. The base salaries of managers are $112,000 and $125,000, respectively. Maybe you are having trouble finding or keeping security staff because you're not paying them enough.

None of the security managers who responded to the survey and only 3 percent of the security staff respondents are age 25 or under. Seventy-eight percent of staff and 87 percent of managers are ages 36 and over. The median number of years that the survey respondents (security staff and management alike) have spent working in the IT profession (security or otherwise) is 18. If you think that you're going to find security professionals in their early 20s who have CISSPs and degrees from prestigious four-year colleges, who will work for $50,000 a year, you are sorely mistaken. Young talent is out there -- maybe you just aren't looking in the right places.

Two-thirds of both staff and managers say they are at least satisfied with their jobs, if not “very satisfied.” And yet 45 percent of staff and 44 percent of managers are looking for new jobs to some degree. Security staff feel so secure in their jobs that they feel confident asking for more money and benefits. If your security pros keep leaving for better jobs, maybe you aren't trying hard enough to retain them.

This will be an essential conversation for anyone who hires security staff and a valuable discussion for everyone in security who wants a better idea of what they're really worth (and how to make sure they get every penny of it).

So register now and join us Wednesday at 1:00 p.m. Eastern Time. Have questions for the guests? Share them in the comments section below or bring them along to the show Wednesday -- we'll be taking questions from the live audience and the guests will join the audience in a live text chat following the broadcast.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
Comments
Robert McDougal
User Rank: Ninja
5/28/2014 | 5:29:35 PM
Re: Certifications vs Experience
What I have experienced is that the individuals who have the large laundry list of certifications generally view certs as the finish line. Some of the most talented security professionals I know do not have a single cert. The difference is in passion for security or the quest for money.
Paladium
User Rank: Moderator
5/28/2014 | 7:58:27 AM
Certifications vs Experience
Wanted to add to the discussion. I have seen my share of over-certified security professionals that do not have the necessary hands-on experience to support their wealth of certifications. This can be a trap for an organization who 1) do not understand what the problem is they are trying to address in the vacancy, 2) large quantities of certifications give the impression of "knowledge", often overriding candidates who have extensive hands-on practical experience in the field. Certifications do not mean that the individual can fill the role effectively, or bring the necessary wisdom of cause-and-effect analysis (especially in IR events).

As a rule of thumb I look for three years of direct hands-on experience PER security certification. If they have a CEH then I want to see three years of CEH hands-on experience. If it's a management role then I want to see five years of direct management experience to support that CISM certification. Certifications should be a capstone achievement that *supports* a security professional's accomplishments within the cyber security space. It must never be a replacement for.

I personally think there is a certification mill out there that is making a lot of money for educational firms, but producing very few actual hands-on experienced candidates to pull from. Great for the education business, not so good for those of us on the front line.
Christian Bryant
User Rank: Ninja
5/27/2014 | 8:56:34 PM
Moderate Fear?
I'd be interested to know how many companies are short on security staff not due to salary but due to a moderate to high fear that hiring talented security professionals opens them up to a potential breach.  Whether the fear is founded or not, I've seen it at work (my perception, not putting words in mouths), and good assets who were rough around the edges were passed over for cleaner but less talented hackers.  Trust is huge, especially when the talent you're looking at might have a criminal record, but it's part of the hiring dance and sometimes a bigger deal breaker than salary.
Kelly Jackson Higgins
User Rank: Strategist
5/27/2014 | 4:10:01 PM
important topic
This should be a very enlightening and relevant discussion. Can't wait to tune in!